Problem with mschap, ntlm_auth and a conditional syntax

latin at icis.pcz.pl latin at icis.pcz.pl
Tue Apr 10 02:14:33 CEST 2007


Hello,

I use ntlm_auth in mschapv2 (freeradius 20070409) with the following line in
radiusd.conf:
ntlm_auth = "/usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

The corresponding part of the debug output from radiusd -X is:

  rlm_mschap: Told to do MS-CHAPv2 for uzyszkodnik at latin.pcz.pl with
NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge:-00'
  rlm_mschap: Unknown expansion string "Challenge:-00"
radius_xlat:  '--challenge='
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response:-00'
  rlm_mschap: Unknown expansion string "NT-Response:-00"
radius_xlat:  '--nt-response='
Exec-Program output: Specify all required command line parameters!
Exec-Program-Wait: plaintext: Specify all required command line parameters!
Exec-Program: returned: 1

When I remove the conditional syntax:
ntlm_auth = "/usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"

authentication operates correctly:

  rlm_mschap: Told to do MS-CHAPv2 for uzyszkodnik at latin.pcz.pl with
NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: ca
radius_xlat:  '--challenge=1d6796d06b4bab53'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: 
'--nt-response=69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY:
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0

I tested freeradius 1.1.4 with the conditional syntax:
ntlm_auth = "/usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

It's OK:

  rlm_mschap: Told to do MS-CHAPv2 for uzyszkodnik at latin.pcz.pl with
NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: af
radius_xlat:  '--challenge=eebe17185aaa4366'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: 
'--nt-response=f668c0b7b4e32deeb49529c2f3295699561589836d73f474'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY:
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0


Lukasz Lacinski
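
Added example, not part of the original post and not FreeRADIUS code: a small checker that scans radiusd -X debug output for the failure shown above, where a ":-" default reaches rlm_mschap unparsed and the ntlm_auth argument expands to an empty string. The sample log is constructed from the format quoted in the post; the function name audit and the finding labels are assumptions made for this example.

```python
import re

# Constructed sample in the format of the radiusd -X output quoted above;
# the wrapped lines mimic the e-mail line wrapping.
SAMPLE_DEBUG = """\
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge:-00'
  rlm_mschap: Unknown expansion string "Challenge:-00"
radius_xlat:  '--challenge='
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: 
'--nt-response=69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8'
"""

# The string rlm_mschap rejected, e.g. "Challenge:-00".
UNKNOWN_RE = re.compile(r'rlm_mschap: Unknown expansion string "([^"]*)"')
# Expanded ntlm_auth arguments; \s+ also spans a wrapped line.
ARG_RE = re.compile(r"radius_xlat:\s+'--(challenge|nt-response)=([^']*)'")
# Hex digits expected: 8-byte challenge, 24-byte NT-Response.
EXPECTED_HEX_LEN = {"challenge": 16, "nt-response": 48}


def audit(debug_text):
    """Return (kind, detail) findings in the order they occur in the log."""
    hits = []
    for m in UNKNOWN_RE.finditer(debug_text):
        # A ':-' inside the rejected string means the default was not parsed
        # before the module's xlat function was called.
        kind = "default-not-parsed" if ":-" in m.group(1) else "unknown-expansion"
        hits.append((m.start(), kind, m.group(1)))
    for m in ARG_RE.finditer(debug_text):
        name, value = m.groups()
        if value == "":
            hits.append((m.start(), "empty-argument", name))
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % EXPECTED_HEX_LEN[name], value):
            # Includes the "00" placeholder used as the default in the post.
            hits.append((m.start(), "malformed-argument", name))
    return [(kind, detail) for _, kind, detail in sorted(hits)]


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_DEBUG):
        print(kind, detail)
```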


